john (John the Ripper) — a password cracker for Linux and Windows

John the Ripper (a.k.a. JtR, or simply john) is a popular fast password cracker for both Linux and Windows. It is quite useful for identifying weak passwords. By weak, I mean ones that do not take a long time to crack. In this article I will show you how to install and use John the Ripper utility to crack weak passwords.

Installation

If you do not have john installed by default then do not worry, just read on, as in this section I will explain in detail how to get john installed. Lets start with a no fuss install procedure, i.e. lets use a package manager such as Apt or Yum. To install john using Apt run the following command.

sudo apt-get install john  # ©2021 gnulinux.ro

The output of the installer is shown below.

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed: john
0 upgraded, 1 newly installed, 0 to remove and 15 not upgraded.
Need to get 547kB of archives.
After unpacking 1155kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com gutsy/main john 1.6-40.1ubuntu2 [547kB]
Fetched 547kB in 0s (1183kB/s)
Selecting previously deselected package john.
(Reading database ... 142662 files and directories currently installed.)
Unpacking john (from .john_1.6-40.1ubuntu2_i386.deb) ...
Setting up john (1.6-40.1ubuntu2) ...

If you are using Yum package manager, then try the following command instead.

sudo yum install john  # ©2021 gnulinux.ro

You could also compile and install john from source distribution. First, you will need to download the source code from http://www.openwall.com/john. Use wget for that.

wget http://www.openwall.com/john/f/john-1.7.2.tar.bz2  # ©2021 gnulinux.ro

The output of wget will look something like this:

--23:22:35--  http://www.openwall.com/john/f/john-1.7.2.tar.bz2
Resolving www.openwall.com... 195.42.179.202
Connecting to www.openwall.com|195.42.179.202|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 691706 (675K) [application/octet-stream]
Saving to: `john-1.7.2.tar.bz2'

100%[=======================================================>] 691,706  --.-K/s in 0.06s

23:22:35 (10.7 MB/s) - `john-1.7.2.tar.bz2' saved [691706/691706]

Note that at the time of writing of this article the current version of john was 1.7.2. You may wish to check for the latest version at http://www.openwall.com/john and get that. Anyhow, once you have the sources, extract the tar.bz2 archive using tar as follows.

tar xjf john-1.7.2.tar.bz2  # ©2021 gnulinux.ro

Then go into the source sub-directory.

cd john-1.7.2/src  # ©2021 gnulinux.ro

Once there, run make.

make  # ©2021 gnulinux.ro

This will produce a long list of supported architectures, a fragment of which is shown below.

To build John the Ripper, type: make clean SYSTEM
where SYSTEM can be one of the following:
linux-x86-sse2           Linux, x86 with SSE2 (best)
linux-x86-mmx            Linux, x86 with MMX
linux-x86-any            Linux, x86
linux-x86-64             Linux, AMD x86-64 with SSE2
...
generic                  Any other Unix-like system with gcc

Pick one that suits you (i.e. one matching your architecture) and use it as follows to build john.

make clean linux-x86-any  # ©2021 gnulinux.ro

Once the compilation process is complete go the the run subdirectory.

cd run  # ©2021 gnulinux.ro 

List its content using ls.

ls -la  # ©2021 gnulinux.ro

It should look something similar to the following.

total 1228
drwx------ 2 florin florin   4096 Nov 22 00:03 .
drwx------ 5 florin florin   4096 May 22  2006 ..
lrwxrwxrwx 1 florin florin      4 Nov 22 00:03 unafs -> john
lrwxrwxrwx 1 florin florin      4 Nov 22 00:03 unique -> john
lrwxrwxrwx 1 florin florin      4 Nov 22 00:03 unshadow -> john
-rw------- 1 florin florin 341064 Dec 17  2005 all.chr
-rw------- 1 florin florin 232158 Dec 17  2005 alnum.chr
-rw------- 1 florin florin 131549 Dec 17  2005 alpha.chr
-rw------- 1 florin florin  40391 Dec 17  2005 digits.chr
-rwx------ 1 florin florin 212440 Nov 22 00:03 john
-rw------- 1 florin florin  15087 Mar  2  2006 john.conf
-rw------- 1 florin florin 215982 Dec 17  2005 lanman.chr
-rwx------ 1 florin florin    785 Dec  2  1998 mailer
-rw------- 1 florin florin  22346 Dec 17  2005 password.lst

The built john binary should be there along with some test files. To check that john is working correctly, execute the following command from the run subdirectory.

./john --test  # ©2021 gnulinux.ro

This will produce test results for various encryption algorithms.

Benchmarking: Traditional DES [24/32 4K]... DONE
Many salts:     143872 c/s real, 145619 c/s virtual
Only one salt:  125004 c/s real, 137066 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts:     3164 c/s real, 4733 c/s virtual
Only one salt:  3902 c/s real, 4505 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:    2416 c/s real, 3481 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:    216 c/s real, 233 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short:  95129 c/s real, 134363 c/s virtual
Long:   366100 c/s real, 392697 c/s virtual

Benchmarking: NT LM DES [32/32 BS]... DONE
Raw:    1927K c/s real, 2594K c/s virtual

Copy the john binary to some executable path for future use. Voilà!

Using john to find weak passwords (i.e. to crack passwords)

Type in john at the shell. This will produce john’s detailed usage information.

Created directory: /home/florin/.john
John the Ripper password cracker, version 1.7.0.2
Copyright (c) 1996-2006 by Solar Designer and others
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
--single                   "single crack" mode
--wordlist=FILE --stdin    wordlist mode, read words from FILE or stdin
--rules                    enable word mangling rules for wordlist mode
--incremental[=MODE]       "incremental" mode [using section MODE]
--external=MODE            external mode or word filter
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset, FILE will be overwritten
--show                     show cracked passwords
--test                     perform a benchmark
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT           load salts with[out] at least COUNT passwords only
--format=NAME              force ciphertext format NAME: DES/BSDI/MD5/BF/AFS/LM
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3

Basically john is used as follows.

john [options] password-files  # ©2021 gnulinux.ro

Lets begin by adding a new user called test.

sudo useradd test

Now lets set test’s password to something really easy (i.e. something that is in john’s password dictionary, and thus will get broken real quick). How about… joes? Run:

sudo passwd test  # ©2021 gnulinux.ro

and enter joes as a password.

Enter new UNIX password: joes
Retype new UNIX password: joes
passwd: password updated successfully

On modern Linux systems, passwords are shadowed, i.e. password hashes are stored in the /etc/shadow file. You will need root privileges to access this file. An example fragment of this file is given below.

root:$1$hw1na4sdT$ms4dp3Vda1v4d3rKDgfsRS/mUj/9.:13833:0:99999:7:::
...
florin:$1$t2po.u3v$lk1ke3a5mj5ghs8ZaR5k7kjg/:13833:0:99999:7:::
...
test:$1$Ms6pYWKS$KZcUUyXUHsqDkZDw.gqeo/:13838:0:99999:7:::

Run the following command to get crack’n…

sudo john /etc/shadow  # ©2021 gnulinux.ro

Now, each time you press enter, john will print out the password it is currently trying, as shown below. Also shown below is one password found: joes.

Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:02 85% (1)  c/s: 3231  trying: R9999909
guesses: 0  time: 0:00:00:03 0% (2)  c/s: 2992  trying: bond007
joes             (test)
guesses: 1  time: 0:00:00:21 19% (2)  c/s: 2636  trying: school!
Session aborted

john caches found passwords so that you can request them at a later time without a delay. Use the following command to see cached passwords.

sudo john --show /etc/shadow  # ©2021 gnulinux.ro

The output of the above command is shown below.

test:joes:13838:0:99999:7:::
1 password cracked, 2 left

For more detailed usage examples see http://www.openwall.com/john/doc/EXAMPLES.shtml.

Enjoy!